Many-to-One Client Certificate mapping is used by Internet Information Services (IIS) to associate an end-user to a Windows account when the client certificate is used for user authentication. The user's session is executed under the context of this mapped Windows account by IIS. For this to work as expected, you need to ensure that the certificate-to-account mapping is configured correctly in IIS.

In IIS 6.0, users had the option to configure Many-to-One client certificate mapping through the IIS Manager User Interface. In IIS 7.0 and 7.5, that interface does not exist for either One-to-One or Many-to-One mappings. This article talks about using the Configuration Editor feature of IIS to configure Many-to-One client certificate mappings.

NOTE: For information about using the Configuration Editor to configure One-to-One client certificate mappings, please see the following article:

Prerequisites

You have installed the IIS Client Certificate Mapping module on the IIS server.

A Web Site is configured with an HTTPS binding which can accept SSL connections.

You have a client certificate installed on the client.

The IIS 7 Administration Pack is installed on the IIS 7.0 server. NOTE: Configuration Editor is shipped by default on IIS 7.5.

Walkthrough

Step 1:

1. Launch theIIS manager and select the web site to be configured for client certificate authentication.

2. In the Features view select Configuration Editor under the Management section.

3. Go to "system.webServer/security/authentication/iisClientCertificateMappingAuthentication" in the drop-down box as shown below:

You will see a window to configure Many-to-One or One-to-One certificate mappings here. This is the UI provided through Configuration Editor from where you can set up all of the mapping configurations.

4. Modify the properties through this GUI.

Set enabled to true

Set manyToOneCertificateMappingsEnabled to True

Select manyToOneMappings and click on the ellipsis button to launch a new window for configuring mappings.

5. Under this new window click to Add a new item. You can modify the properties from within the window as shown below:

6. Click on the ellipsis button for rules which will give you the option to add multiple patterns for matching based on the certificate properties.

In these example images, there are two entries for rules for mapping the certificate. First, there are the Subject and Issuer fields in the certificate. Second, there is the matchcriteria property the map the certificate to the account mydomain\testuser.

In the image below, the final mapping for a specific windows account is illustrated. As you can see there are two entries for rules for this account.

Similarly, you can have other mappings for the accounts based on the fields “Issuer” and “Subject” in the Certificate.

Appendix

So far what has been illustrated is achieved using the Configuration Editor, which provides a graphical interface to easily set the configuration. You can achieve the same thing using APPCMD.exe commands, and in fact the Configuration Editor does the same thing in the background and adds these settings into the ApplicationHost.config file.

Configuration Editor also gives you an option to run these commands manually, and it generates the scripts to achieve this from inside the UI itself:

These are the code snippets to perform the same steps as above to configure the certificate mapping. They were was generated using Configuration Editor's Script Generation feature.